Adjust CORS configuration to support API & OAuth Routes

Fixes #4411 and #3381
2024-03-17 21:43:16 +01:00 · 2024-03-17 21:43:16 +01:00 · 1eadff9d2e
parent c96167f2f7
commit 1eadff9d2e
2 changed files with 8 additions and 5 deletions
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@ -14,12 +14,12 @@ class Kernel extends HttpKernel
     * @var array
     */
    protected $middleware = [
+        \Illuminate\Http\Middleware\HandleCors::class,
        \Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
+        \App\Http\Middleware\TrustProxies::class,
        \App\Http\Middleware\TrimStrings::class,
        \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
-        \App\Http\Middleware\TrustProxies::class,
-        \Illuminate\Http\Middleware\HandleCors::class,
    ];

    /**
--- a/config/cors.php
+++ b/config/cors.php
@ -22,7 +22,9 @@ return [
     * Example: ['api/*']
     */
    'paths' => [
-        '.well-known/*'
+        '.well-known/*',
+        'api/*',
+        'oauth/*'
    ],

    /*
@ -48,7 +50,8 @@ return [
    /*
     * Sets the Access-Control-Expose-Headers response header with these headers.
     */
-    'exposed_headers' => [],
+    // TODO: Add support for rate-limit related headers
+    'exposed_headers' => ['Link'],

    /*
     * Sets the Access-Control-Max-Age response header when > 0.
@ -59,4 +62,4 @@ return [
     * Sets the Access-Control-Allow-Credentials header.
     */
    'supports_credentials' => false,
-];
+];